Event 560, 562 When No Objects Have Been Selected for Auditing

Article translations Article translations
Article ID: 149401 - View products that this article applies to.
This article was previously published under Q149401
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all


If you choose Audit on the Policies menu and enable the Auditing File and Objects Access option in User Manager for Domains without specifying any objects to be audited, event 560 and event 562 will be logged in the security log file. Any action performed by the Administrator account in User Manager for Domains (or Server Manager) will be logged as an event 560 for the Administrator account and as an event 562 for the System account.


By default, the Auditing File and Objects Access option audits all action performed in User Manager for Domains (and in Server Manager).


This is by design. Security Account Manager (SAM), by default, assigns security access control lists (SACLs) to all objects it creates, and managing them with User Manager causes an object access audit to occur.


Article ID: 149401 - Last Review: February 28, 2014 - Revision: 2.1
  • Microsoft Windows NT Workstation 3.5
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition
kbnosurvey kbarchive kbnetwork KB149401

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com